Re: Marks set in PREROUTING got lost

>
> So, something marked with -j MARK can't be matched on nat table, right?

You have to mark it in the PREROUTING chain of the mangle table, to be 
able to match on it within the PREROUTING chain of the nat table.

--- Orig msg ---
> What if after you mark the packet with -j MARK, you do "-m mark --mark X -j
> CONNMARK --save-mark"; it should be visible from nat table or must be marked
> with -j CONNMARK --set-mark?
>
>
>> > What marks, per-packet marks or per-connection marks?
>> > 
>> I am not sure how to distinguish, I just mark all packets that pass
>
> -j MARK => per-packet
> -j CONNMARK => per-connection
>
>> through a certain user defined chain. I guess this is a mark per packet.
>> The particular chain looks like this:
>> 
>> 
>> Chain FWD_WWW-101 (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota: 100000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK set 0x65
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota: 1000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK set 0x1
>
> MARK is only allowed in the mangle table.
>
>> 
>> 
>> The goal is to provide full network speed for all NATed computers
>> for a certain amount of bytes (first quota match), then mark their
>> packets individually (each computer has its own mangle chain
>> (FWD_WWW-$computernumber)) with its computernumber in hex, so tc can
>> slow down their connection to 56k and after the "slow quota" is used
>> up, the user's packets get a different mark (mark 1) and get a DNAT
>> to an Over Quota webpage, when the user tries to access an outside
>> webpage, other connection attempts get dropped.
>> 
>> 
>> The problem is now, that packets get marked with the mark 0x1, but in
>> PREROUTING nat table, this mark never appears.
>
> http://www.imagestream.com/~josh/PacketFlow.png
>
> PREROUTING comes before FORWARD.
>
>> 
>> Thanks, Clemens
>> 
>> 
>
> Jan Engelhardt
> -- 

Jan Engelhardt
-- 
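Added example, not from the thread: a generator for the per-host ruleset in iptables-restore format that applies the advice above, hooking the quota/MARK chain from mangle PREROUTING instead of FORWARD so the 0x1 mark is already on the packet when nat PREROUTING evaluates the DNAT rule, with the over-quota DROP left in filter FORWARD. The chain name PRE_WWW-<n>, the internal address, the quota sizes and the over-quota server address are assumed placeholders.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for one NATed host.
# The quota/MARK chain is hooked from mangle PREROUTING (not FORWARD), so the
# per-packet mark is set before nat PREROUTING runs and the DNAT can match it.
# Assumed placeholders: chain PRE_WWW-<n>, host IP, quotas, over-quota server.
emit_rules() {
    num="$1"        # computer number; in hex it becomes the mark tc uses
    ip="$2"         # internal address of that computer
    fast_q="$3"     # bytes allowed at full speed
    slow_q="$4"     # bytes allowed at 56k before the host is "over quota"
    overquota="$5"  # address of the Over Quota web page
    hexmark=$(printf '0x%x' "$num")
    chain="PRE_WWW-$num"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:$chain - [0:0]
-A PREROUTING -s $ip -j $chain
-A $chain -m quota --quota $fast_q -j ACCEPT
-A $chain -j MARK --set-mark $hexmark
-A $chain -m quota --quota $slow_q -j ACCEPT
-A $chain -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s $ip -m mark --mark 0x1 -p tcp --dport 80 -j DNAT --to-destination $overquota
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m mark --mark 0x1 ! -d $overquota -j DROP
COMMIT
EOF
}

# Print only the lines of table $1 from ruleset text $2, so a reader can
# check which table a given rule landed in (MARK must stay in mangle).
rules_in_table() {
    printf '%s\n' "$2" | sed -n "/^\\*$1\$/,/^COMMIT\$/p"
}

# Stand-alone usage (computer 101, internal 192.168.1.101, 100 MB fast quota,
# 1 MB slow quota, over-quota page on 10.0.0.1):
#   emit_rules 101 192.168.1.101 100000000 1000000 10.0.0.1 | iptables-restore
```

Marks set this way are per-packet; the same chain could add `-j CONNMARK --save-mark` if the mark is also wanted on later packets of the connection, but the DNAT decision only ever sees the first packet, so the mangle PREROUTING placement is what matters for it.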

